Hello everyone,

We are setting up a new Timestamping Authority and we are looking for specific rules that apply to certificates and subCA Certificates related to timestamping. While reading various standards and the CA/B Forum documents, and after looking at various existing implementations of publicly-trusted CAs, I have some questions and would appreciate any feedback from the forum. Although the BRs apply to SSL certificates, some Root Certificates might be used for both SSL and timestamping services. So the questions that follow apply to CAs that use the same Root Certificate for both SSL and timestamping purposes. Of course, the EV CodeSigning requirements also define some rules for "EV Timestamp Authorities".

1. Section 6.1.7 of the Baseline Requirements states that the Root CA
   Private Keys MUST NOT be used to sign end-entity certificates with
   some exceptions. This exception list does not specifically mention
   end-entity certificates with EKU id-kp-timeStamping. Are Root CAs
   allowed to directly issue end-entity certificates for timestamping
   authorities (end-entity certificates with EKU only id-kp-timeStamping)?
2. Section 4.9.7 describes the CRL issuance frequency for Subscriber
   and Subordinate CA Certificates. If there is a Subordinate CA
   Certificate constrained with EKU id-kp-timeStamping, is an
   end-entity certificate (with only id-kp-timeStamping) issued from
   that subCA considered a "Subscriber" Certificate? Should this subCA
   issue CRLs every 7 days or every 12 months? My understanding
   (according to section 1.1 of the BRs) is that the end-entity
   certificates from that subCA are not required to comply with the
   CA/B Forum BRs. This should allow the CA to choose a CRL issuance
   interval (from that restricted subCA) that exceeds the 7-day requirement.


Thank you in advance.


Dimitris Zacharopoulos.



_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public
